Spear-Phishing

by Wally Moore

on October 7, 2019

Introduction

Spear-phishing, email phishing, whaling, smishing, vishing, and angler phishing. Say what?!

Strange names. My Microsoft Word spell checker didn’t recognize them either.

But unfortunately, they are very real, causing serious problems worldwide for everyone receiving electronic communication.

Perhaps a definition will help to get us on the same page as we chat about these strange names and what they mean. More importantly, what they mean to you, the average person who goes to work every day and communicates electronically in the age of the internet.

Spear-Phishing definition

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by acquiring personal details on the victim, such as their friends, hometown, employer, locations they frequent, and what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging.

Spear-phishing is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

Spear-phishing is one of five common phishing attacks. I’ll bet you didn’t know that; most of us don’t! I certainly didn’t before I researched this article. They’re known as:

  1. Spear-phishing
  2. Email-phishing
  3. Whaling
  4. Smishing and Vishing (combined because both use the telephone)
  5. Angler-phishing

So now that we know the five common types of phishing attacks, let's narrow it down to the most pressing one: spear-phishing. Why only one? It's the most successful of these types of attacks.

A more definitive definition, according to the Digital Guardian, is this: https://bit.ly/2HYBw9q.

We saw spear-phishing in action recently. Here's how it went down.

A financial services company (we'll call them Acme DollarMakers) was involved in a situation where one of their investors (we'll call him Bob Smith) was attacked, and the attackers were successfully able to steal a large sum of money.

One day, Bob e-mailed Acme to request a change to the bank account numbers on file at Acme. He'd opened a new account and needed Acme to update their records. Acme sent Bob the proper forms (after all, everything must be documented properly!), and Bob filled them out and returned them. Acme, seeing everything was in order, updated the account numbers on file.

A few days later, Bob e-mailed to request a withdrawal of some of his funds, and Acme, as instructed, transferred a large sum of money into Bob's account.

Everything's great up to here, right?

The problem: It wasn't the real Bob sending the e-mail from Bob's e-mail account.

You see, Bob had his primary e-mail account on Yahoo, which is a platform known for having past issues with major breaches and password compromises. Bob's e-mail box at Yahoo was compromised, such that an attacker was able to log in and read all of his e-mails. The attacker discovered through days of surveillance that Bob was dealing with Acme DollarMakers and the normal conversations included typical financial stuff, such as requests for money transfers between investment accounts.

A month later, Bob e-mailed again in a panic, asking where his money went. And that's when everyone involved discovered that an attacker had taken his money. A month ago.

You see, Bob made a mistake: he never changed his Yahoo password, or maybe he entered it on a phishing screen, thinking it was the legitimate Yahoo login screen. As a result, an attacker in a far-off land was simply able to log in to Yahoo as him, send messages, monitor for replies, and cover his tracks (removing sent messages, quickly reading and deleting new replies) to keep the ruse going for as long as possible. In the end, Bob fell victim to this attack.

Now, how could this situation have been prevented?

A lot of the time, it simply comes down to policy, paying attention, and taking a bit of extra time to confirm things. On Bob's part, he should have changed his Yahoo password long ago; Bob wasn't paying attention, and that neglect bit him. On Acme's part, a simple policy would have prevented the situation: "Any time a client requests a set-up or a change to financial account numbers, we must call them at a known-good phone number and verify verbally." If Acme had just called Bob and confirmed "your new account numbers," Bob would have immediately known something was amiss and could have blocked the transaction before things got out of hand.

Simple human mistakes. A lack of cross-checking. And the attacker made off with a fortune, without ever actually penetrating the financial services company.
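The callback policy described above, written out as an added example (this is not Acme's or DTS InfoTech's code, and the client names, e-mail addresses, phone numbers and account identifiers are constructed for the illustration). The important property is that the number dialed always comes from the record on file, never from the request itself, so a fraudster who has taken over the client's mailbox cannot redirect the verification call:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical record and request types, constructed for this example.
@dataclass
class ClientRecord:
    name: str
    email: str
    phone_on_file: str      # known-good number captured at account opening, never from an e-mail
    bank_account: str

@dataclass
class ChangeRequest:
    from_email: str
    new_bank_account: str
    # A fraudulent e-mail may helpfully say "call me at ..." with the attacker's own number.
    # The policy ignores this field entirely: only the number on file is ever dialed.
    phone_in_email: Optional[str] = None

def process_account_change(request: ChangeRequest,
                           clients: Dict[str, ClientRecord],
                           verbal_confirm: Callable[[str, str], bool]) -> dict:
    """Apply a bank-detail change only after a verbal confirmation at the known-good number.

    verbal_confirm(phone, proposed_account) models the phone call: it returns True only if
    the person reached at that number recognises the proposed account."""
    client = clients.get(request.from_email.lower())
    if client is None:
        return {"applied": False, "reason": "sender is not a known client", "alert": True}
    confirmed = verbal_confirm(client.phone_on_file, request.new_bank_account)
    if not confirmed:
        # The client did not recognise the change: treat the sending mailbox as possibly
        # compromised and raise an alert instead of silently dropping the request.
        return {"applied": False, "reason": "not confirmed at known-good number",
                "alert": True, "phone_called": client.phone_on_file}
    client.bank_account = request.new_bank_account
    return {"applied": True, "reason": "verbally confirmed at known-good number",
            "alert": False, "phone_called": client.phone_on_file}

def run_scenario() -> dict:
    """Replay the Acme/Bob story (constructed data): two requests from Bob's mailbox,
    one sent by an attacker who controls it and one sent by Bob himself."""
    clients = {
        "bob.smith@example.com": ClientRecord(
            "Bob Smith", "bob.smith@example.com", "+1-555-0100", "ACCT-OLD-001"),
    }
    # The real Bob, reached at the number on file, only recognises the account he opened.
    bob_recognises = {"ACCT-NEW-002"}

    def bob_answers(phone: str, proposed_account: str) -> bool:
        return phone == "+1-555-0100" and proposed_account in bob_recognises

    attacker_request = ChangeRequest(
        from_email="bob.smith@example.com",        # genuinely Bob's compromised mailbox
        new_bank_account="ACCT-ATTACKER-999",
        phone_in_email="+1-555-0199")              # attacker's number; must be ignored
    legit_request = ChangeRequest(
        from_email="bob.smith@example.com",
        new_bank_account="ACCT-NEW-002")

    blocked = process_account_change(attacker_request, clients, bob_answers)
    applied = process_account_change(legit_request, clients, bob_answers)
    return {"blocked": blocked, "applied": applied,
            "account_on_file": clients["bob.smith@example.com"].bank_account}

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

A real implementation would also log the call outcome and the operator who made it, and apply the same callback rule to the first withdrawal after any account change, since the story shows the theft happening in a second e-mail days after the change was accepted.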

Why spear-phishing is so effective

This type of attack is also known as a social engineering attack. The “social” part of the term is one of the main reasons it’s so effective.

Machines are calculating and cold, not affected by emotion. Machines are very good at what they do. Machines put up very real hurdles for hackers to jump over and, most of the time, thwart their attacks. So, hackers look for easier targets. It makes sense if you think about it.

But we (human beings, people, the folks) are very different.

We’re different because we can be so easily fooled and tricked, and some of us will respond when we’re emotional. That is why we get fooled and tricked in situations a machine would not.

Why would a hacker spend a bunch of time trying to fool and trick a machine when the odds of succeeding are much lower than they are with us humans? Of course, hackers know this. They depend on it. It’s how they steal your money for their living: fooling busy, hard-working, emotional creatures.

Attacking a human that works for the company is much more successful than attacking a machine.

As Michael Mimoso accurately stated, “humans trust email as a platform, and that’s [our] first downfall.”

Do humans trust in emails? Some do, and I used to, but not anymore.

Having fallen prey to this myself, I nod my head yes in agreement with the statement about our first downfall of placing trust in the assumed safety of emails.

In light of this very real emotion, which is very effective, what do you do?

Memorize and repeat this saying: “technology alone is not enough to stop a hacker.” Whenever you think about the safety of your business and the technology you employ, remind yourself, “technology alone is not enough to stop a hacker.” This saying will serve you well if you act upon it. Act upon it? Yes!

In addition to technology, you must employ three more layers of defense.

There are four areas to focus your defense on. They are:

  1. Hardware
  2. Software
  3. Technology – Remember our saying, “technology alone is never enough.”
  4. Training – Yourself and your employees

What can you do?

  • Get some training on what to look for
  • Learn what is going on and how to protect yourself
  • When you’ve done all that, the next thing to do is get more training and keep training! In other words, train, train and then train some more
  • Remember, as time passes, new tricks and attack methods are created. What you learn today helps for today, but tomorrow there will be new tricks you will need to become aware of. Training yourself and your employees is an ongoing process. It never ends!

The level of sophistication by hackers is constantly evolving. They’ve become so good that without a trained eye, you will not be able to tell the difference between a legitimate email and an email sent by a hacker.

They’re that good and getting better (more sophisticated) all the time.

As a former military man, I have experienced the benefits of training.

How does training work? Simple. We simulate phishing emails and send them to your employees.

It sounds mean. It’s not. Training is not meant to trap them. It’s designed to train them. Trained employees become more vigilant and another layer of defense.

Security awareness training and phishing simulations go hand in hand. As we said before, phishing has become very sophisticated and almost undetectable to the untrained eye, as criminals have found ways to make their emails as realistic as possible.

The phishing simulations we send test how employees would respond to a real-life phishing attack. You can track which employees have clicked on the phishing email, who has given away their password, and who has (properly) ignored or reported the email.

Simulation training is a big deal!

Why? Because businesses now have access to an integrated platform to discover where employees’ exposure indicates the need for training.

Once a learning gap is detected, DTS InfoTech can deliver interactive educational videos to the most susceptible users. Simulated phishing tests augment the video-based training, all of it focused on end-user security awareness. You can then monitor ongoing progress and visualize it within your company.
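As an added example of the tracking described above (not the DTS InfoTech or ID Agent platform, whose internals are not shown on this page), here is a small scorer for simulation results. The event log format and the user names are constructed for the illustration; the point is how each employee's outcome is classified so that the people who clicked or entered a password are the ones routed to training, while reporting the email counts in the employee's favour:

```python
import re
from typing import Dict, List

# Constructed sample events from one simulated campaign (not real data).
SAMPLE_EVENTS = """\
2019-10-01T09:00:00 campaign=q4-invoice user=alice event=delivered
2019-10-01T09:00:00 campaign=q4-invoice user=bob event=delivered
2019-10-01T09:00:00 campaign=q4-invoice user=carol event=delivered
2019-10-01T09:00:00 campaign=q4-invoice user=dave event=delivered
2019-10-01T09:14:02 campaign=q4-invoice user=bob event=clicked
2019-10-01T09:15:40 campaign=q4-invoice user=bob event=submitted_credentials
2019-10-01T09:20:11 campaign=q4-invoice user=carol event=clicked
2019-10-01T09:31:05 campaign=q4-invoice user=dave event=reported
this line is malformed and is skipped
"""

# Exposure ranking for the things an employee can do with the simulated email.
# "reported" is tracked separately because it is a good outcome, not an exposure level.
EXPOSURE = {"delivered": 0, "clicked": 1, "submitted_credentials": 2}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) campaign=(?P<campaign>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

def parse_events(text: str) -> List[dict]:
    """Parse one event per line; malformed lines are skipped rather than crashing the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def classify_users(events: List[dict]) -> Dict[str, dict]:
    """Per user: the worst exposure seen and whether they reported the email."""
    users: Dict[str, dict] = {}
    for e in events:
        u = users.setdefault(e["user"], {"exposure": "delivered", "reported": False})
        ev = e["event"]
        if ev == "reported":
            u["reported"] = True
        elif ev in EXPOSURE and EXPOSURE[ev] > EXPOSURE[u["exposure"]]:
            u["exposure"] = ev
    return users

def summarize(text: str) -> dict:
    """Campaign-level rates plus the list of employees who need follow-up training."""
    users = classify_users(parse_events(text))
    total = len(users)
    clicked = [u for u, d in users.items() if EXPOSURE[d["exposure"]] >= EXPOSURE["clicked"]]
    submitted = [u for u, d in users.items() if d["exposure"] == "submitted_credentials"]
    reported = [u for u, d in users.items() if d["reported"]]
    ignored = [u for u, d in users.items()
               if d["exposure"] == "delivered" and not d["reported"]]
    return {
        "delivered": total,
        "click_rate": len(clicked) / total if total else 0.0,
        "submit_rate": len(submitted) / total if total else 0.0,
        "report_rate": len(reported) / total if total else 0.0,
        "ignored": sorted(ignored),
        "needs_training": sorted(clicked),   # anyone who clicked, whether or not they also reported
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

Someone who clicks and then reports still lands on the training list, because the click is the exposure the attacker needed; the report is simply recorded alongside it so the trend in reporting can be watched across campaigns.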

This training is very effective.

However, you may be feeling a bit overwhelmed at the moment by all the strange Phishing terms, what they mean, how the hackers do what they do and how all this applies to you and your business.

We understand. Honest, we do. It’s not easy for us either.

Here at DTS InfoTech, we have to be on our toes to keep up with the constant changes in technology, let alone how to fight a war against hackers who are hell-bent on destroying any businesses they can and stealing their money. We do keep up with the constant changes!

All that to say, you can trust us when we say, “We’re all in this together.”

Need some training? DTS InfoTech Can Help.

We’re good at spear-phishing training. Why? We have the tools, technology, expertise, and experience to train you.

We’ve partnered with ID Agent to provide world-class training for you and your employees.

We know how intimidating technology can be; we make a living helping people just like you who have questions about all things technology, and that includes award-winning training for spear-phishing.

Most small businesses do not have the technical resources or time to understand all this geek stuff. If this describes you, we can help.

If you would like more information about training your employees, give us a call. We’re always happy to chat, and the call is free!

Dedicated to your success,

Wally Moore

Business Development Manager

dts|infotech . . . secure computer networks that work

503.359.1275

www.dtsinfotech.com
